Librem 5 Encryption Confusion

Got my Byzantium Librem 5 today. I followed the Quick Start Guide, which said to first, while it was powered off, let it charge. I did that.

After that I pressed the start button as the guide says to do in order to start it and get to the lock screen. However, it went to a disk encryption screen, and asked me to enter the passphrase. This was not described in the guide, I wasn’t sure what to enter, nor what it was trying to do. Being at a loss, I entered “123456”, since that was the default lock screen password in the guide. It accepted that, went past that screen, and then the lock screen appeared, and I had to use the default password of “123456”, as the guide said. Then, under settings>user, I changed the password to one I wanted.

But now, whenever I start the phone, it always goes first to that encryption screen, and I have to enter the passphrase of “123456”. I thought changing my password would apply to the passphrase for encryption, but it seems it does not.

Questions:

  1. How do I change the encryption passphrase at this point?

  2. Why am I always presented with the encryption screen when I start the phone?

Rebuild? From what I know of LUKS you cannot change the password on encryption. You would have to blow away the volume and create a new one, which would be a reinstall. I was planning to do this for my Librem 5 I just received yesterday.

If anybody has a solution to this w/o rebuild, I’d love to know more. Thanks!

Have a look. It says Ubuntu but it should work:

1 Like

I successfully used the $ sudo cryptsetup luksChangeKey /dev/mmcblk0p2 command to change the encryption password, and it can use the whole keyboard for input (not restricted to digits).

3 Likes

LUKS passphrase can be changed in GUI via the GNOME Disks app (which is installed by default).

1 Like

The thought occurred to me, what if you don’t give a hoot and didn’t want disc encryption to begin with?

I don’t want a philosophical argument on the pros and cons of encryption. What is the technical answer?

2 Likes

If you reflash yourself using the librem5-flash-image script, then there is an option called --variant where you can select “plain” or “luks”:

librem5-flash-image$ ./scripts/librem5-flash-image -h
[...]
optional arguments:
[...]
   --variant {plain,luks}
          Image variant to download ( plain, luks ), default is 'plain'

I guess that since it says default is ‘plain’ you will not get encryption unless you say --variant luks explicitly.

1 Like

Thanks. With encryption all the rage probably no one thinks of that.

So when the Gestapo seizes my phone, when they demand the decryption key, they will only get silence!

Set the encryption key to “there isn’t one”. :wink:

I don’t know all the pros and cons of having encryption but setting it to ‘a’ or ‘0’ or something easy to type may be better than not having it at all - in case you want to have it later.

1 Like

Thanks to all for the help, the suggestions above enabled me to change the password.

I perhaps didn’t make it very clear, my fault: My biggest issue is that a noob like me found it very disconcerting when the guide said the first thing I’d see is the lock screen, when in reality the first screen I saw was a screen asking for my disk encryption passphrase. I just stared at it for several seconds, glancing back and forth between it and the startup guide, thinking, “NOW what did I do wrong!!???”

1 Like

Worked like a charm…I did the same thing initially as did dln949.

Thank you

Hi
I received my Librem 5 today and have already managed to lock myself out of it.
I changed the encryption password, not thinking about my Scandinavian keyboard layout, which seems unavailable to me when asked for the decryption passphrase after rebooting.

Is there any way to change the layout, and if so, how?
Or do I have to reflash the whole phone (already;) ?

You can use Jumpdrive to mount your eMMC on a PC over USB and change the password from there.

1 Like

Not that it helps you now but the LUKS man page says

It is therefore highly recommended to select passphrase characters only from 7-bit ASCII

I understand that even if you limit yourself to ASCII, with some keyboard layouts a needed ASCII character may not be available.

1 Like
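
The lockout and the 7-bit ASCII recommendation discussed above, as an added example that is not part of the thread: a script that refuses a passphrase containing bytes outside printable ASCII, adds it to a spare LUKS key slot, and verifies it while the old passphrase still works. The function names, the `--apply` switch and the `/dev/shm` temp path are assumptions of this example; the device is the one named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Applying it needs root and cryptsetup.

# Count bytes outside printable 7-bit ASCII (0x20-0x7E) in a string.
non_ascii_bytes() {
    printf '%s' "$1" | LC_ALL=C tr -d ' -~' | wc -c | tr -d ' '
}

# Succeed only for a non-empty passphrase of printable 7-bit ASCII, so it can
# be typed on whatever layout the boot-time unlock prompt offers.
passphrase_is_portable() {
    [ -n "$1" ] && [ "$(non_ascii_bytes "$1")" -eq 0 ]
}

# Add the new passphrase to a spare key slot and prove it unlocks the volume.
# The old passphrase is left in place as a fallback.
add_and_verify_key() {
    device=$1
    printf 'New passphrase: ' >&2
    stty -echo; IFS= read -r new; stty echo; printf '\n' >&2
    if ! passphrase_is_portable "$new"; then
        echo "Refusing: empty, or $(non_ascii_bytes "$new") byte(s) outside 7-bit ASCII" >&2
        return 1
    fi
    keyfile=$(mktemp /dev/shm/luks-new.XXXXXX) || return 1   # tmpfs, mode 0600
    trap 'rm -f "$keyfile"' EXIT
    printf '%s' "$new" > "$keyfile"                          # no trailing newline
    # Prompts for the existing passphrase; reads the new one from the key file.
    cryptsetup luksAddKey "$device" "$keyfile" || return 1
    # Checks the new passphrase against the header without mapping the device.
    cryptsetup open --test-passphrase --key-file "$keyfile" "$device" || return 1
    echo "New passphrase works. Reboot and unlock with it before removing the" >&2
    echo "old one with: cryptsetup luksRemoveKey $device" >&2
}

# Usage: sudo sh this-script --apply /dev/mmcblk0p2   (device as in the thread)
if [ "${1:-}" = "--apply" ]; then
    add_and_verify_key "${2:?device required}"
fi
```

Keeping the old passphrase in its slot until the new one has been typed successfully at the boot prompt is what avoids the Jumpdrive recovery described above.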